01-06-2015, 10:43 AM
(01-06-2015, 09:49 AM)Sc00bz Wrote: Azren, I think epixoip missed this line:
Code: `$key = trim($username).trim($cleartext_password);`
This is a very weird construction: it's encrypting the password with the password. You can think of this like the LM hash. It would be interesting to know what the decrypt function does to the key. I assume SHA256 (or some other hash) or padding. Also, if you can find the "encrypt" function, just to make sure the IV isn't stupid, but this might be apparent from the decrypt function (i.e. null or fixed IV). Nice thing is it leaks the password length. So cracking can go much faster by dropping incorrect-length passwords.
Anyway this is probably not a common hash so it would be unlikely for Atom to add it.
Ha, yeah, you're right, I totally missed that line. So it is indeed encrypting the password with the password.
It does some weird shit to the key. If the keysize is >= 32 chars and the key is not exactly 32 chars, it hashes it with md5. Doesn't seem to do any padding at all if keysize is > 32 and it hashes it with md5. If keysize is < 32 then it either pads it with spaces or truncates the key. Which is sweet if you have a really long username ;)
Looks like the IV is stored in the database as part of the "hash" string.
This is some ridiculously goofy code. What is this from??